CVE-2024-8852: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in yaniiliev All-in-One WP Migration and Backup
CVE-2024-8852 is a medium severity vulnerability in the All-in-One WP Migration and Backup WordPress plugin that exposes sensitive information via publicly accessible log files. This flaw allows unauthenticated attackers to access potentially sensitive data such as full file system paths. The vulnerability affects all versions up to and including 7.86. Exploitation requires no authentication or user interaction and can be performed remotely over the network. While the impact is limited to information disclosure without affecting integrity or availability, the exposure of internal paths can aid attackers in further reconnaissance and targeted attacks. No known active exploits have been reported yet. Organizations using this plugin should monitor for updates or apply mitigations to restrict access to log files. The threat primarily affects websites using this popular WordPress plugin globally, with heightened risk in countries with widespread WordPress usage and significant web hosting infrastructures. The CVSS score is 5.
AI Analysis
Technical Summary
CVE-2024-8852 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the All-in-One WP Migration and Backup plugin for WordPress, developed by yaniiliev. This plugin is widely used for migrating and backing up WordPress sites. The vulnerability exists in all versions up to and including 7.86, where log files generated by the plugin are publicly accessible without authentication. These log files contain sensitive information such as full file system paths, which can reveal internal directory structures and potentially other sensitive data. The exposure occurs because the plugin does not properly restrict access to these logs, allowing any unauthenticated remote attacker to retrieve them simply by accessing the relevant URLs. The CVSS v3.1 base score is 5.3, indicating a medium severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack can be performed remotely without privileges or user interaction, and the impact is limited to confidentiality loss. No integrity or availability impacts are noted. No patches or fixes are currently linked, and no known exploits in the wild have been reported as of the publication date. This vulnerability primarily facilitates reconnaissance by exposing internal paths that can assist attackers in crafting further attacks or identifying other vulnerabilities in the environment.
Potential Impact
The primary impact of CVE-2024-8852 is the unauthorized disclosure of sensitive information, specifically full file system paths contained in publicly accessible log files. While this does not directly compromise the integrity or availability of the affected systems, the exposure of internal directory structures can significantly aid attackers in planning more targeted and effective attacks, such as path traversal, local file inclusion, or privilege escalation exploits. Organizations relying on the All-in-One WP Migration and Backup plugin may inadvertently expose their internal infrastructure details, increasing their attack surface. This can be particularly damaging for high-profile or sensitive websites, where attackers could leverage this information to identify backup locations, configuration files, or other sensitive resources. The vulnerability is exploitable remotely without authentication or user interaction, increasing the risk of automated scanning and exploitation attempts. Although no active exploits are currently known, the medium severity rating and ease of access make it a notable risk for WordPress sites worldwide.
Mitigation Recommendations
To mitigate CVE-2024-8852, organizations should first verify if they are using the All-in-One WP Migration and Backup plugin version 7.86 or earlier. Until an official patch is released, administrators should restrict access to the plugin’s log files by implementing web server-level access controls, such as configuring .htaccess rules on Apache or location blocks on NGINX to deny public access to log directories or files. Additionally, consider disabling or limiting logging features if feasible. Regularly monitor web server logs for suspicious access attempts to these log files. Employ a web application firewall (WAF) with rules to block unauthorized requests targeting known log file paths. Keep the WordPress core, plugins, and themes updated and subscribe to security advisories from the plugin vendor or trusted sources. Once a patch is available, apply it promptly. Finally, conduct periodic security audits to ensure no sensitive files are publicly accessible and review file permissions to minimize exposure.
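The log-monitoring step recommended above, as an added example (not part of the original advisory or the plugin's code): it scans web server access logs for requests to `.log` files under `wp-content/` and separates those that were served from those that were denied. It assumes the combined log format; the path pattern is generic because the advisory does not name the log locations, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the advisory does not name the log locations, so this generic
# pattern flags any *.log request under wp-content/. Narrow it to the paths
# you confirm on your own installation.
LOG_PATH_RE = re.compile(r"^/wp-content/.+\.log$", re.IGNORECASE)

# Apache/NGINX "combined" access log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; PLUGIN_DIR and sample.log are placeholders.
P = "/wp-content/plugins/PLUGIN_DIR/logs/sample.log"
SAMPLE = [
    f'203.0.113.7 - - [25/Feb/2026:10:00:01 +0000] "GET {P} HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    f'203.0.113.7 - - [25/Feb/2026:10:00:02 +0000] "GET {P.replace(".log", "%2Elog")} HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    f'198.51.100.20 - - [25/Feb/2026:11:30:00 +0000] "GET {P} HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Feb/2026:11:31:00 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def audit(lines):
    """Group log-file requests by client: served ('exposed') vs denied ('blocked')."""
    result = {"exposed": defaultdict(list), "blocked": defaultdict(list)}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        # Drop the query string and decode %-escapes so "%2Elog" cannot hide a hit.
        path = unquote(m["target"].split("?", 1)[0])
        if not LOG_PATH_RE.match(path):
            continue
        status = int(m["status"])
        if status in (200, 206) and m["user"] == "-":
            result["exposed"][m["ip"]].append(path)  # served without HTTP auth
        elif status in (401, 403, 404):
            result["blocked"][m["ip"]].append(path)  # access control held
    return {kind: dict(hits) for kind, hits in result.items()}

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE).items():
        for ip, paths in hits.items():
            print(f"{kind}: {ip} requested {len(paths)} log file(s): {sorted(set(paths))}")
```

After a deny rule is in place on the web server, new entries should appear only under `blocked`; any later `exposed` entry means the rule is not covering that path.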
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-09-13T18:40:07.223Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b38b7ef31ef0b54f66a
Added to database: 2/25/2026, 9:35:52 PM
Last enriched: 2/25/2026, 10:51:24 PM
Last updated: 2/26/2026, 8:08:15 AM